W3C Using FIDO To Improve Password-Based Web Security

The World Wide Web Consortium (W3C) announced this week that it has formed a new Web Authentication Working Group to improve Web access security.

The group will devise a new standard aimed at supplanting the current reliance on passwords for Web authentications. Its activities will complement the W3C's Web Application Security and Web Cryptography efforts. The first meeting of the new Web Authentication Working Group will take place in San Francisco on March 4.

The efforts of the Web Authentication Working Group will be based, in part, on Fast IDentity Online (FIDO) 2.0 Web APIs. Those APIs already have been submitted to the W3C by the FIDO Alliance, an industry coalition.

The FIDO Alliance started out as an effort to use biometrics for Web authentication. It was initiated by PayPal and various hardware makers in 2012. Later, the FIDO Alliance adopted an open standard for Web authentication championed by Google and other companies.

The current FIDO specifications outline a public-key/private-key authentication scheme in which the private key always stays on the user's device. The user unlocks access to the private key by entering a personal identification number (PIN) or with a biometric, such as a finger swipe on the device. This approach purportedly makes the server-held public key useless by itself, which could serve as a security deterrent.

"This approach dramatically alters the economics of attacks on service providers and their password stores," a recent PayPal blog post explained. "For each service provider that a user interacts with, a unique private/public key pair is generated. Not only does this ensure that service providers are unable to use protocol artifacts to collude in user-unwanted ways, it renders the public key store of little to no value to fraudsters. Attacks at scale through exfiltration of passwords are no longer a viable means of generating revenue -- the ultimate goal of fraudsters."
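The per-origin key pair and challenge-response flow described above and in the PayPal quote, as an added illustration in Go (not code from the FIDO specifications, the W3C group or PayPal): the Authenticator and RelyingParty types, the origin-plus-challenge message binding and the origin names are simplifying assumptions, not the real protocol's message formats.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator is the device side: private keys never leave it, one per origin.
type Authenticator struct {
	keys     map[string]ed25519.PrivateKey
	unlocked bool // true once the user has entered a PIN or passed a biometric check
}

// RelyingParty is the server side: it stores public keys only, nothing secret.
type RelyingParty struct {
	origin string
	creds  map[string]ed25519.PublicKey // username -> public key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
func NewRelyingParty(o string) *RelyingParty { return &RelyingParty{origin: o, creds: map[string]ed25519.PublicKey{}} }
// signedMessage binds the origin into the challenge so a response for one site cannot be replayed at another.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Register mints a fresh key pair for this origin; only the public half leaves the device.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.origin] = priv
	rp.creds[user] = pub
	return nil
}

// Sign answers a server challenge, but only after the user has unlocked the device.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[origin]
	if !ok || !a.unlocked {
		return nil, errors.New("no usable key for " + origin)
	}
	return ed25519.Sign(priv, signedMessage(origin, challenge)), nil
}

// Verify checks a response against the stored public key; nothing secret is needed on the server.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.creds[user]
	return ok && ed25519.Verify(pub, signedMessage(rp.origin, challenge), sig)
}
```

Note what the server holds: with only public keys in `creds`, a dump of that store gives an attacker nothing to sign with, and the keys for two origins are unrelated, so they cannot be correlated across sites.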

Microsoft currently supports FIDO 2.0 in Windows 10, particularly with its Windows Hello biometric security feature. Intel also has a similar authentication solution based on its sixth-generation firmware. The Intel Authenticate solution supports multifactor authentication for PCs. It uses Microsoft's Windows Hello solution to support the biometric verification process.